The European Union’s Artificial Intelligence Act, often shortened to the EU AI Act, is the first comprehensive horizontal regulation of artificial intelligence in any major jurisdiction. It entered into force in August 2024, with provisions phasing in over several years. It was not written specifically about AI companion apps, but several of its provisions apply to them directly, and the broader framework sets the regulatory floor for any companion-app operator with users inside the European Union.
This piece is a plain-language summary of what the Act requires that is relevant to AI companions, who is affected, what the timeline looks like, and where the open questions sit. Verify any specific provision against the official consolidated text published in the Official Journal of the European Union, because legislative drafting and implementation guidance both keep moving.
If you have time for one paragraph: companion apps fall mostly into the AI Act’s transparency category, which means users must be told clearly that they are interacting with AI. The Act also prohibits AI systems that materially exploit the vulnerabilities of users (including by reason of age or disability) in ways that cause significant harm, which is the provision most likely to bite on companion apps that engage minors or distressed users in problematic ways. Underlying foundation models carry their own obligations under the Act’s general-purpose AI rules. Data protection remains governed by the GDPR, which predates the AI Act and continues to apply in parallel.
What the AI Act is
The AI Act is a single piece of EU regulation that classifies AI systems by risk and assigns obligations to providers and deployers based on that classification. The four categories are prohibited (a short list of unacceptable practices), high-risk (subject to detailed conformity and oversight obligations), limited-risk (subject mainly to transparency obligations), and minimal-risk (largely unregulated by the Act).
It is a horizontal regulation, meaning it applies across sectors rather than being industry-specific. It is also extraterritorial in effect, similar to the GDPR: providers of AI systems outside the EU are subject to the Act if they place their systems on the EU market or if their output is used within the EU. A companion app operated from the United States with European users is squarely in scope.
The Act sits alongside other EU instruments that already apply to companion apps. The General Data Protection Regulation (GDPR) governs personal data processing. The Digital Services Act (DSA) governs hosting and intermediary services. National consumer-protection law and product-liability law continue to apply. The AI Act adds a new layer; it does not replace the existing ones.
Where AI companion apps sit in the risk tiers
Companion apps are not on the prohibited list as a category, and they are not classified as high-risk by default. The Act’s high-risk list focuses on use cases like critical infrastructure, employment decisions, law enforcement, biometrics, and education in formal-credential contexts. AI companions for general consumer use are not on that list.
The category that does apply is the transparency tier. AI systems intended to interact with natural persons are required to be designed and operated so that the person is informed they are interacting with an AI, unless this is obvious from the context. For a Replika or Kindroid or Character.AI session, the obligation is to make the AI nature of the interlocutor clear and to keep it clear, not just at signup but as the user keeps using the product.
A small subset of companion-app behavior may overlap with the prohibited category. The Act prohibits AI systems that deploy subliminal or manipulative techniques, or that exploit the vulnerabilities of a person or specific group (including by age, disability, or social or economic situation), in ways that materially distort behavior and cause significant harm. Whether a particular companion-app design crosses this line is a fact-specific question, and the European Commission’s implementation guidance is what will determine where the line actually sits.
The general-purpose AI layer
Most companion apps run on top of foundation models that were not trained by the companion-app operator. The Act assigns its own set of obligations to providers of general-purpose AI models, including transparency obligations about training data and copyright compliance, and additional obligations for the largest models that present systemic risk.
For a companion-app operator, the practical implication is that the underlying-model providers (OpenAI, Anthropic, Mistral, the open-weight ecosystem) carry their own compliance burden, and downstream operators have to keep documentation about which models they use and how. For users, the implication is that the foundation-model layer of the companion-app stack is now under formal supervision in the EU, even though most users will never see this directly.
The timeline
Implementation is phased. The prohibitions on unacceptable AI practices became applicable in early 2025. The general-purpose AI obligations followed later in 2025. The full set of obligations on high-risk systems, conformity assessment, and the broader supervisory structure phases in over the following years, with the most consequential dates falling in 2026 and 2027. National competent authorities and the EU AI Office are still being staffed and are still standing up their enforcement processes.
The current phase, mid-2026, is the period in which transparency obligations, prohibitions, and general-purpose AI rules are live, while many of the detailed implementing acts and harmonized standards are still being finalized. Companion-app operators with EU users should treat this as the period for getting baseline transparency and disclosure right, and for tracking the implementing acts as they are published.
What companion-app operators should be doing
The honest read is that most of what the AI Act requires of companion apps in the EU is what conscientious operators should already be doing, with a couple of additions.
Visible, persistent disclosure that the user is interacting with AI, in language the user can understand.
Clear documentation of what the system is, what data it collects, and how.
Reasonable design choices that avoid exploiting vulnerable users, especially minors and people in distress.
Documentation of the foundation models used and how.
Compliance with the GDPR in parallel, which is its own substantial body of obligations.
The areas most likely to require new work are the formal documentation, the detailed risk assessments where they apply, and the readiness for supervisory inquiry. Larger operators will hire compliance staff for this. Smaller operators will struggle, which is itself a policy effect of the Act and a concern advocacy groups have raised.
What this means for users in Europe
For most everyday use of a companion app, the visible effect of the AI Act will be modest. Disclosures will be more prominent. Some operators will tighten their products in ways that feel like friction, particularly around minors and around mental-health-adjacent content. The DSA’s parallel obligations will make some platform behavior more transparent.
For users specifically interested in privacy, data export, deletion rights, and the ability to ask what data is held about them, the GDPR (not the AI Act) is the instrument that gives those rights. Most reputable operators provide GDPR-compliant data tools regardless of where the user is, but EU users have direct legal rights backed by national data-protection authorities.
For users in vulnerable circumstances, including minors and people in mental-health distress, the AI Act’s prohibitions on exploiting vulnerabilities are the provision most likely to matter. How they get enforced in practice depends on the European Commission’s guidance and on national-authority casework that has not yet happened.
We covered the broader regulatory landscape and the parallel US conversation in California SB 243 Explained, the underlying mental-health research backdrop in AI Companions and Mental Health, and the related European data-protection action against Replika in Replika and the Italian Garante.
What the Act does not do
A few common misreadings are worth heading off.
The Act does not ban AI companions. They are not on the prohibited list. The transparency tier they fall into is a relatively light-touch regulatory category compared with the high-risk tier.
The Act does not establish a content-moderation regime for AI-generated material. Some content questions are addressed in the DSA and in copyright law, not in the AI Act.
The Act does not replace the GDPR. Data protection remains governed by the GDPR, which has been in force since 2018 and continues to apply to companion apps in full.
The Act does not, by itself, resolve the mental-health questions that drive much of the public conversation about companion apps. Whether AI companion use is good or bad for users in clinical or sub-clinical distress is an empirical question that regulation cannot answer; it is a research question. We covered the relevant research in the 2025 OpenAI/MIT study summary and in the Stanford Replika study.
Where the open questions sit
Several things are still being worked out and worth tracking if you care about this space.
The implementing acts and harmonized standards under the AI Act are being developed by the European Commission and the European standardization bodies. These will determine many of the practical details of how the Act applies to specific products, including companion apps.
The interpretation of the prohibition on exploiting vulnerabilities is the most consequential interpretive question for our category. Where the European Commission and national authorities draw the line will shape product design for any operator with EU users.
The interaction between the AI Act, the DSA, the GDPR, and national consumer-protection law produces edge cases that have not yet been litigated. The first round of enforcement actions and court decisions over the next few years will fill in the picture.
The relationship to non-EU regulation, particularly California SB 243 and any federal US action, will determine how much of the global product surface is shaped by Brussels versus Sacramento versus Washington.
FAQ
Does the AI Act apply to companion apps?
Yes, although they are not classified as high-risk by default. The transparency tier applies, and the prohibitions on exploiting vulnerabilities can apply depending on design.
Does it apply to a US-based companion app with European users?
Generally yes. The Act has extraterritorial reach similar to the GDPR. Operators outside the EU are in scope if they place their systems on the EU market or their output is used in the EU.
Are companion apps banned in Europe?
No. The Act does not place general-purpose consumer companion apps on the prohibited list.
What about my data?
The GDPR governs personal data, not the AI Act. Your rights to access, deletion, and portability come from the GDPR. EU users have direct rights enforceable through national data-protection authorities.
When does the AI Act take effect?
It is phased. Prohibitions and general-purpose AI obligations are already live as of 2025. Many other obligations phase in across 2026 and 2027. The full picture will be in place by the end of the implementation period.
Is this the same as California SB 243?
No, separate. They share the spirit on disclosure and transparency, but the legal frameworks are different. We covered the California bill in its own piece.
Where to read the primary documents
The official consolidated text of the AI Act is published in the Official Journal of the European Union and is available through EUR-Lex (eur-lex.europa.eu). The European Commission maintains an explanatory landing page for the Act on its digital-strategy site (digital-strategy.ec.europa.eu). The European AI Office, which coordinates implementation and supervision of general-purpose AI obligations, publishes ongoing guidance.
For any specific provision, prefer the consolidated text and the official Commission guidance over secondary summaries, including this one.
Related reading
California SB 243 Explained for the parallel US-state regulatory work.
Replika and the Italian Garante for an earlier European data-protection action against a companion app.
Garcia v. Character Technologies for the parallel US litigation that has shaped the policy conversation.
AI Companions and Mental Health for the research backdrop the regulation is responding to.
The 2025 OpenAI/MIT study for the most-cited recent empirical work.
If you are tracking the AI Act and have implementing-act updates or enforcement actions we should cover, write to us through the contact form. Corrections are made quickly; reviews are not.